When working with PX Policies or TEWS in order to add, remove, modify the AD groups on an AD Account or AD Template you need to reference the AD groups by their IAMHandle.

Background:

IM uses the jiam.jar layer to communicate with the Provisioning Server so the AD Endpoint Group value must be in an IAMHandle format.

Instructions:

Here is what the IAMHandle for an AD group called "Administrators" in the default Container called "Builtin" on an AD Endpoint called "MyEndpoint" as well as what the IAMHandle for an AD group called "TestGroup" in an Org Unit called "MyOU" on an AD Endpoint called "MyEndpoint" would look like as these would be referenced in a PX Policy: